(54) SECURITY SYSTEM BY MULTIPLEX SYSTEM PARALLEL OPERATED COMPUTERS

(57)Abstract: 

PROBLEM TO BE SOLVED: To secure systems that operate simultaneously and in parallel, without
altering the systems themselves, by having a monitoring system monitor the contents of inter-system
communications with the other systems and any illegal inter-system communication control from the
other systems, and by preventing the influence of an illegal intrusion or control, when such an
illegality is detected in a system other than the monitoring system, from reaching the monitoring system.
SOLUTION: A multiplex system parallel operation kernel 300 operates plural systems simultaneously
and in parallel on one computer. A system interruption control part 301 controls the interruption
between the respective systems and performs assignment and scheduling of processors. In addition, a
system operation memory space managing part 302 manages the memories of the respective systems
and assigns memory to each of them. When one system performs an illegal access to the multiplex
system parallel operation kernel 300, the kernel 300 can stop that general system itself by using
a system start/end control part 304.
CLAIMS

[Claim(s)] 

[Claim 1]A security system by a multiplex system parallel operation computer, wherein, on a computer
which carries out simultaneous parallel operation of two or more systems on one computer, in an
environment where a supervising system, which is at least one system taking the lead, exchanges
information with the other systems by intersystem communication, said supervising system supervises at
least the contents of intersystem communication with the other systems, certification information, and
unjust intersystem communication control from the other systems, and, when said supervising system
detects that an unjust invasion or unjust control has been performed on a system other than said
supervising system, the influence of the unjust invasion and control does not reach at least said
supervising system.

[Claim 2]A security system by a multiplex system parallel operation computer, wherein, in claim 1, the
two or more system operating environments which operate on one computer operate as completely
independent environments.

[Claim 3]A security system by a multiplex system parallel operation computer, wherein, in claim 1, the
hardware which exists on one computer can be assigned, at the time of computer starting, to the two or
more systems which operate on the computer, as hardware which each system manages.

[Claim 4]A security system by a multiplex system parallel operation computer, wherein, in claim 1,
communication between the two or more systems which operate on one computer is possible by
intersystem communication inside the apparatus, and access restriction can be set on said intersystem
communication inside the apparatus.

[Claim 5]A security system by a multiplex system parallel operation computer, wherein, in claim 1, when
an unjust invasion and unjust control are performed on one system, only the system on which said
unauthorized entry and control were performed is ended and reset, without reset of the apparatus power
supply, and the influence does not reach other systems.

[Claim 6]A security system by a multiplex system parallel operation computer, wherein the computer of
claim 1, in which two or more systems carry out simultaneous parallel operation, is used as at least one
computer for relay of a system which performs communications control via a public circuit; one of said
two or more systems becomes a supervising system and supervises the other systems; an environment is
provided in which the supervising system is connected to an internal circuit and the other systems are
connected to an external public circuit, respectively; and, by using the features of claims 1, 2, 3, 4,
and 5 in said provided environment, a safe environment can be provided in which, even when an unjust
invasion, control, or an attack from the outside is delivered to at least the system connected to the
public circuit, the influence of said unjust invasion, control, and attack does not reach the internal
circuit.

[Claim 7]A security system by a multiplex system parallel operation computer, wherein a public circuit of 
claim 6 includes the Internet, intranet, and extranet at least. 

[Claim 8]A security system by a multiplex system parallel operation computer, wherein the computer for
relay of claim 6 includes at least a firewall and a packet converter.



DETAILED DESCRIPTION

[Detailed Description of the Invention] 
[0001]

[Field of the Invention]This invention relates to a security system provided by a computer which can
carry out simultaneous parallel operation of two or more systems on a single computer.
[0002]It includes at least communications control security for access into a specific site from a client
on a public circuit, in a network that uses a public circuit, including especially the Internet,
intranets, and extranets, as a backbone circuit.

[0003] 

[Description of the Prior Art]Conventionally, on a single computer, it was common for one system to
operate so that the hardware was under unitary control. Even when two or more systems were operated
side by side, they were operated as virtual computers as in JP,7-129419,A, and the base system of the
virtual machine performed all hardware control and resource control. Therefore, there was a high
possibility that security would easily be broken by unjust invasion of, or operation on, the base system.
[0004]In a network that uses a public circuit, including especially the Internet, intranets, and
extranets, as a backbone circuit, it was common, in the communications control for access into a
specific site from a client on said public circuit, to use as the security translator for communications
control a computer running a single system or a combination of single-system apparatus. That is,
securing said computer for translators was an important technical problem in such a system.
[0005] 

[Problem(s) to be Solved by the Invention]This invention uses an environment in which two or more
systems carry out simultaneous parallel operation on a single computer, and secures the systems that
are operating in parallel without converting the systems themselves. According to this invention, the
security between the systems is handled by the original multiplex system parallel operation kernel,
which runs as the base, and by the supervising system which controls said kernel, so that even when one
system is unjustly invaded, the other systems are not influenced. Even if one system is invaded from the
outside and unlawful access is attempted via said kernel, the system concerned is itself ended once the
supervising system has confirmed the operation; the purpose is to offer an environment in which
secondary influence on the other systems is prevented.
[0006]It is also at least one purpose to use the aforementioned security to provide a communications
control security function for access into a specific site from a client at the far end of a public
circuit, in the networks, now increasing by leaps and bounds, that use as a backbone circuit a public
circuit including the Internet, intranets, and extranets. Specifically, this is realized by using a
computer on which said two or more systems can carry out simultaneous parallel operation as the computer
for translators now generally used for said communications control, and securing that computer.
[0007] 

[Means for Solving the Problem]The means for solving the aforementioned problem is explained using
drawing 1.

[0008]First, this invention has a means to carry out simultaneous parallel operation of two or more
systems on one computer. The multiplex system parallel operation kernel (300) of drawing 1 provides
said means. Specifically, the system interruption control section (301) controls interruption between
the systems and performs assignment and scheduling of processors. The system-action memory space
management department (302) manages the memory of each system and performs memory assignment for
every system. That is, the multiplex system parallel operation kernel (300) can completely control each
system, and when unlawful access is performed from one system to the multiplex system parallel
operation kernel (300), it can also stop that general-purpose system itself using the system-startup
end controlling part (304).

[0009]Second, it has a means to conceal from the other systems the hardware, existing on one computer,
which each system manages on its own. The hardware quota system part (305) of drawing 1 provides said
means. The hardware quota system part (305) manages the hardware (401 and 402) which each system
manages uniquely and the hardware (400) which the systems use in common, and has a function which
assigns each piece of hardware to each system at the time of starting. With said function, the hardware
which one system has can be separated and concealed from the other systems.
[0010]Third, it has a means to control communication between the two or more systems which carry out
simultaneous parallel operation on one computer. The interior communication control section between
systems (303) in the multiplex system parallel operation kernel (300) of drawing 1 provides said means.
The interior communication control section between systems (303) can provide its own function for
communication between the systems, without communication to the computer exterior such as a network,
and can also provide a function to impose access restriction on communication between systems as
occasion demands.

[0011]Using the above means, security in which one system operating on the computer has no influence
on the other systems can be realized without reconstruction of the system itself, and the computer is
available as a translator system which provides an advanced communications control security function
for access into a specific site from a client at the far end of the public circuit.
[0012] 

[Embodiment of the Invention]One example of this invention is described using the drawings.
[0013]Drawing 1 is a figure explaining the system configuration of this invention. 100 is one computer.
201 and 202 are systems which operate on the computer (100); each is software for computer control
that includes at least an existing operating system (OS) and middleware. 300 is the multiplex system
parallel operation kernel, which operates on the computer (100) and is a system for operating said two
or more systems (201, 202) on one computer. The multiplex system parallel operation kernel (300)
contains the system interruption control section (301), the system-action memory space management
department (302), the interior communication control section between systems (303), and the
system-startup end controlling part (304). The kernel (300) also contains, as one of its functions, the
hardware quota system part (305), which manages the hardware which exists in the computer and enables
hardware assignment for every system. 401 is the hardware in the computer (100) managed by the system 1
(201), and 402 is the hardware in the computer (100) managed by the general-purpose system 2 (202). On
the other hand, 400 is hardware which all the systems in the computer (100) use in common. In this
example, for simplicity, two systems operate within one computer (100), but there can be more.

[0014]The multiplex system parallel operation kernel (300) starts up at the time of computer (100)
starting and sets up the environment for operating two or more systems (201, 202). The system-action
memory space management department (302) assigns the required memory space to every system, and each
system can then be loaded into its assigned memory space. The system interruption control section (301)
assigns the processor which each system uses at the time of starting. Of course, this assignment applies
when two or more processors exist in the computer (100); when there is only one processor, the system
interruption control section (301) manages the interruption scheduling of the processor after starting
and passes processing to each system as needed.

[0015]As described above, two or more systems can operate simultaneously and side by side on one
computer, and moreover independently, without change or reconstruction of the systems themselves.

[0016]The hardware quota system part (305) also functions as a part of the multiplex system parallel
operation kernel (300) at the time of computer (100) starting, and assigns the hardware (401, 402)
which each system manages uniquely and the hardware (400) used in common. When, after starting,
hardware information is acquired from a system (201, 202) which a user can access, the system 1 (201)
can acquire system 1 management hardware (401) and system common management hardware (400), and the
system 2 (202) can acquire system 2 management hardware (402) and system common management hardware
(400). That is, a system cannot detect the information of hardware which it does not itself manage: the
system 2 (202) cannot detect system 1 management hardware (401), the system 1 (201) cannot detect
system 2 management hardware (402), and not even its existence can be detected.
[0017]By using the functions explained above, two or more completely independent computer environments
can be realized on one computer.

[0018]The multiplex system parallel operation kernel (300) mediates the interior communication between
the two or more systems which operate on it. This is realized by the interior communication control
section between systems (303). Because said interior communication sends no information to the exterior
at all, there is little chance that the communication content is intercepted, and safety is high
compared with actually communicating among two or more computers. Since a system sees only a
communications interface, there is also little possibility that the communication content will be
decoded unless the structure of the multiplex system parallel operation kernel (300) is known. It is
also possible to set up access restriction on communication between systems if needed. For example, for
communication between the system 1 (201) and the system 2 (202), a setting is possible in which only
requests from the system 2 (202) and the responses to them are permitted, and requests from the system 1
(201) are disregarded. When, with the above access restriction set up, the system 1 (201) violates the
restriction, or when the system 2 (202) side detects that an intruder is performing unjust
operation/control on the system 1 (201), it is also possible, through the general-purpose system startup
end controlling part (304), to end and reboot the system 1 (201) while the computer (100) stays running.
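
The access restriction and per-system reset of paragraph [0018], as an added example that is not part of the patent text. The class and method names, the request-id matching and the violation threshold are assumptions of this sketch; `send` stands in for the communication control section (303) and `end_and_reboot` for the startup end controlling part (304).

```python
"""Constructed model of the kernel-mediated communication in paragraph [0018]."""
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    REQUEST = "request"
    RESPONSE = "response"


@dataclass
class GuestSystem:
    """One of the systems run in parallel; `boots` counts start-ups."""
    name: str
    boots: int = 1
    inbox: list = field(default_factory=list)


class ParallelKernel:
    """Stand-in for kernel 300 (hypothetical API, not the patent's)."""

    def __init__(self, systems, allowed_requesters, max_violations=1):
        self.systems = {s.name: s for s in systems}
        # (src, dst) pairs that may open a request; everything else is disregarded
        self.allowed_requesters = set(allowed_requesters)
        self.pending = set()      # (requester, responder, request id) awaiting a reply
        self.violations = {s.name: 0 for s in systems}
        self.max_violations = max_violations   # assumed policy knob
        self.audit = []
        self._next_id = 0

    def send(self, src, dst, kind, payload, req_id=None):
        """Part 303: deliver if policy allows; return the request id, else None."""
        if kind is Kind.REQUEST and (src, dst) in self.allowed_requesters:
            self._next_id += 1
            self.pending.add((src, dst, self._next_id))
            self.systems[dst].inbox.append((kind, self._next_id, payload))
            return self._next_id
        if kind is Kind.RESPONSE and (dst, src, req_id) in self.pending:
            # a response is accepted only for a request that is still open
            self.pending.discard((dst, src, req_id))
            self.systems[dst].inbox.append((kind, req_id, payload))
            return req_id
        self._violation(src, f"disregarded {kind.value} to {dst}")
        return None

    def _violation(self, name, reason):
        self.audit.append((name, reason))
        self.violations[name] += 1
        if self.violations[name] >= self.max_violations:
            self.end_and_reboot(name)

    def end_and_reboot(self, name):
        """Part 304: end and restart one system; the others keep running."""
        system = self.systems[name]
        system.inbox.clear()
        self.pending = {p for p in self.pending if name not in p[:2]}
        self.violations[name] = 0
        system.boots += 1
        self.audit.append((name, "ended and rebooted"))


def demo():
    sys1, sys2 = GuestSystem("system1"), GuestSystem("system2")
    # Only system 2 may ask; system 1 may only answer what it was asked.
    kernel = ParallelKernel([sys1, sys2], {("system2", "system1")})
    rid = kernel.send("system2", "system1", Kind.REQUEST, "status?")
    ok = kernel.send("system1", "system2", Kind.RESPONSE, "idle", req_id=rid)
    # Unsolicited request from the restricted side: dropped, system 1 is reset.
    bad = kernel.send("system1", "system2", Kind.REQUEST, "unsolicited")
    return kernel, sys1, sys2, rid, ok, bad


if __name__ == "__main__":
    kernel, *_ = demo()
    for entry in kernel.audit:
        print(entry)
```
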
[0019]As understood from the above explanation, by taking a composition like drawing 1 for the systems
which operate on a computer, a highly safe response is always possible even when an intruder performs
unjust operation/control.

[0020]Next, one use example of this invention is explained with drawing 2 through drawing 4. However,
this is only one use example, and various security effects can be obtained by taking the same
composition.

[0021]Drawing 2 is a figure showing the composition of the communications control, as generally used
now, for access into a specific site from a client on a public circuit, in a network that uses a public
circuit including the Internet, intranets, and extranets as a backbone circuit.
[0022]The composition of drawing 2 is explained. 1000 is an external client computer. 1001 is interface
hardware with which the external client computer (1000) communicates; a LAN board/card, a modem, etc.
are general examples. 1002 is the system which works on the external client computer (1000). 1003 is
client software which operates on said system (1002). 2000 is the public line which is the channel for
the request/reply packets of said client software (1003). 3000 is the specific site which is the
destination of the request/reply packets of said client software (1003). A closed network site such as
the internal network of a company is an example, and said site holds access points to both the public
line (2000) and the internal network of the company. 3100 is a network for security located between the
public line (2000) and the internal network in the specific site (3000), and is generally called a
boundary network. 3110 is located between the public line (2000) and the boundary network (3100), is
information equipment which filters the communication packets passing between the two networks, and is
generally called an external router. 3111 is the external<->boundary communication control part, which
is in the external router (3110) and actually provides the packet filtering function. 3120 is the
boundary server computer, which is on the boundary network (3100) and performs the justification check
and attestation of the communication from the client software (1003). 3121 is interface hardware with
which the boundary server computer (3120) communicates. 3122 is the system which works on the boundary
server computer (3120). 3123 is server software which operates on said system (3122), and is called a
boundary server. 3124 is the client specification processing corresponding point, which on said boundary
server (3123) performs the justification check and attestation of the communication from the client
software (1003) and transmits a processing packet to the internal network of the specific site (3000)
as occasion demands. 3200 is the internal network in the specific site (3000). 3210 is located between
the boundary network (3100) and the internal network (3200), is information equipment which filters the
communication packets passing between the two networks, and is generally called an internal router.
3211 is the internal<->boundary communication control part, which is in the internal router (3210) and
actually provides the packet filtering function. 3220 is the internal server computer, which is in the
internal network and performs internal processing etc. in response to processing from clients in the
internal network (3200) and processing from the client specification processing corresponding point
(3124) on the boundary server computer (3120). 3230 is an internal client computer in the internal
network (3200). In this explanation, for simplicity, the composition is drawn with very few computers,
but in practice many pieces of apparatus which play the same roles exist.

[0023]Next, the communications processing flow when an external client computer (1000) accesses the
internal network (3200) in a specific site (3000) is explained using drawing 3. Processing is started
at 4000. At 4001, the client software (1003) on the external client computer (1000) issues a processing
request packet to the specific site (3000). Although the final address of said processing request packet
is the internal server computer (3220) and internal client computer (3230) on the internal network
(3200), the destination to which the packet is actually issued is the boundary server computer (3120) on
the boundary network (3100). At 4002, the processing request packet which the external client computer
(1000) issued is sent to the external router (3110) via the public circuit (2000). At 4003, the
external<->boundary communication control part (3111) in the external router (3110) performs packet
filtering, judging the address and the packet kind, and a processing request packet whose justification
has been checked is sent to the boundary server computer (3120). Here, processing is ended when the
justification of the packet is inaccurate (4010).

[0024]At 4004, the processing request packet which reached the boundary server computer (3120) is sent
to the boundary server (3123) in the boundary server computer (3120), and the client specification
processing corresponding point (3124) checks the contents of the packet and attests the delivery origin.
If justification is confirmed, the client specification processing corresponding point (3124) performs
packet conversion and the required authenticating processing in order to send the packet anew to the
internal network (3200), and sends the packet to the internal router (3210). Here, processing is ended
when the justification of the contents of the packet is inaccurate or attestation of the delivery origin
fails (4010). At 4005, the internal<->boundary communication control part (3211) in the internal router
(3210) performs packet filtering, judging the packet kind after conversion or checking the address, and
a packet whose justification has been checked is sent into the internal network.
[0025]On the other hand, processing is ended if the packet kind is inaccurate or the address check
fails (4010). At 4006, the packet which arrived at the internal network (3200) is sent to the internal
server computer (3220) and internal client computer (3230) which finally perform the processing, and the
processing demand is performed. The above is the series of communications processing flows when an
external client computer (1000) accesses the internal network (3200) in a specific site (3000).
[0026]Here, the security problem in the composition of drawing 2 is described.
[0027]Generally, the packets which flow through the public circuit (2000) and the networks of the
specific site (3100, 3200) have their contents encrypted etc., and are designed to be comparatively
safe even when tapping etc. is encountered. However, the system (3122) which operates as the base of
the boundary server (3123) on the boundary network (3100) generally consists of an OS in general
circulation and middleware, and its internal structure is easy to analyze. Moreover, because the role of
the boundary server (3123) includes not only processing information from outside but also sending
information out, the packet filtering security level of the external router (3110) is in many cases
inevitably set lower than that of the internal router (3210). Therefore, it is easy for an external
intruder to attempt an unjust invasion of the boundary server computer (3120) on the boundary network
(3100), or to send in an unauthorized analysis program.

[0028]When it is accessed illegally or an unjust program is sent in, the contents of the processing
request packets sent to it are analyzed and altered, and so are the packets which are sent on to the
internal network. Eventually the internal network of the company etc. is invaded, extra-sensitive
information is disclosed, viruses are sent in, and so on, and in many cases serious damage is suffered.
Of course, as a countermeasure, it is also possible to run the system (3122) on the boundary server
computer (3120) of the boundary network (3100) as an original system. However, in that case the
applications which operate on the system, including the server, also need to be prepared as completely
original ones, and flexibility falls remarkably.

[0029]In order to solve said security problem, drawing 4 shows the composition when the system
configuration of this invention explained by drawing 1 is applied to the boundary server computer (3120)
on the boundary network (3100).

[0030]The composition of drawing 4 is explained. 1000, 1001, 1002, 1003, 2000, 3000, 3100, 3110, 3111,
3120, 3121, 3122, 3123, 3124, 3200, 3210, 3211, 3220, and 3230 are the same as in the composition
explained by drawing 2. 300 is the multiplex system parallel operation kernel explained by drawing 1.
3125 is the client specification processing demand preserving part, a storage region which temporarily
saves the processing request packet from the external client (1000). 3126 is interface hardware on the
boundary server computer (3120) for communication with the internal server computer (3220). 3127 is the
supervising system, which supervises the contents of the client specification processing demand
preserving part and monitors the system (3122) for unjust operation and invasion. 3321 is interface
hardware with which the internal server computer (3220) communicates. 3222 is the system which works on
the internal server computer (3220). 3223 is server software which operates on said system (3222), and
is called an internal server. 3224 is the client specification processing demand acquisition part, which
acquires the processing request packet from the external client (1000) out of the client specification
processing demand preserving part (3125) on the directions of the supervising system (3127). 3225 is the
client specification processing internal network corresponding point, which receives a processing
request packet from the client specification processing demand acquisition part and sends the processing
request packet to the specified computer in the internal network. 3226 is interface hardware on the
internal server computer (3220) for communication with the boundary server computer (3120). 3300 is the
exclusive gateway LAN, a network which connects the communication-interface hardware (3326) of the
internal server computer (3220) and the communication-interface hardware (3126) of the boundary server
computer (3120).

[0031]The feature of this composition is simply that the multiplex system operation kernel (300)
explained by drawing 1 is adopted in the boundary server computer (3120). At the time of boundary server
computer (3120) starting, said multiplex system operation kernel (300) loads the supervising system
(3127) in addition to the same system (3122) as before. This is realized by the system interruption
control section (301) and the system memory space management department (302) which were explained by
drawing 1. Moreover, although both systems operate on one computer, they are connected to completely
separate networks: the system (3122) to the boundary network (3100), and the supervising system (3127)
to the exclusive gateway LAN (3300). In hardware too, the communication-interface hardware (3121, 3126)
which each system manages is constituted so that the hardware information of the other system's side
cannot be detected. This is realized by the hardware quota system part (305) explained by drawing 1.
That is, computers with completely separate security levels coexist independently on one computer.

[0032]The supervising system (3127) periodically supervises the system (3122) side by way of the
multiplex system parallel kernel (300). For this purpose, the multiplex system parallel kernel (300) is
set so that requests from the supervising system (3127) and the answers to them are permitted, while
requests in the reverse direction, from the system (3122), are not accepted. This is realized by the
interior communication control section between systems explained by drawing 1. If the system (3122)
side is found to have received a processing request packet from an external client (1000), the
supervising system (3127) sends directions to the internal server computer (3220) via the exclusive
gateway LAN (3300), the internal server computer (3220) acquires the processing request packet, and the
processing request packet is eventually sent to the specified computer in the internal network.
[0033]When an unauthorized person invades the system (3122) on the boundary server computer (3120), or
an unjust program etc. is sent in, the supervising system (3127) detects it; furthermore, when unlawful
access to the multiplex system parallel kernel (300) is attempted, the multiplex system parallel
operation kernel (300) detects it and notifies the supervising system (3127). The end/reboot of the
system (3122) side is then performed on the directions of the supervising system (3127), and the
administrator is notified. This is realized by the system startup end controlling part (304) explained
by drawing 1.

[0034]The communications processing flow when the external client computer (1000) accesses the internal
network (3200) in the specific site (3000) using the composition of drawing 4 is explained with
drawing 5. Since processing up to the point where a processing request packet is sent to the boundary
server computer (3120) is the same as that of drawing 3, only the processing after it is explained
here. Processing is started at 5000. At 5001, the processing request packet which reached the boundary
server computer (3120) is sent to the boundary server (3123) in the boundary server computer (3120),
and the client specification processing corresponding point (3124) checks the contents of the packet and
attests the delivery origin. When justification is confirmed, the packet is stored from the client
specification processing corresponding point (3124) into the client specification processing demand
preserving part (3125). Here, processing is ended when the justification of the contents of the packet
is inaccurate or attestation of the delivery origin fails (5010). At 5002, the supervising system (3127)
checks the client specification processing demand preserving part (3125) via the multiplex system
parallel operation kernel (300); when a processing request packet exists, it checks the contents of the
packet, and if the packet is just, it issues a packet acquisition direction, via the exclusive gateway
LAN (3300), to the client specification processing demand acquisition part on the internal server
(3223). Here, processing is ended when the justification of the contents is inaccurate (5010). At 5003,
the client specification processing demand acquisition part acquires the processing packet from the
client specification processing demand preserving part (3125) and sends the packet to the client
specification processing internal network corresponding point (3225). At 5004, the client specification
processing internal network corresponding point (3225) sends it to the internal server computer (3220)
and internal client computer (3230) which finally perform the processing, and the processing demand is
performed. The above is the series of communications processing flows when an external client computer
(1000) accesses the internal network (3200) in a specific site (3000) using the system configuration of
this patent.

[0035] This concludes the explanation of one example of this invention.
[0036]

[Effect of the Invention] This invention uses an environment in which two or more systems operate
simultaneously and in parallel on a single computer, and secures the security of those systems without
modifying the systems themselves. Even if an unauthorized intrusion is made into one system, security
can be maintained so that the other systems are not affected: the intruded system itself is
ended/rebooted, and secondary influence on the other systems is prevented.

[0037] In particular, in a network that uses a public circuit including the Internet, an intranet, and
an extranet as a backbone circuit, security of said ******** for communications control is secured in
the communications control performed when a client on said public circuit accesses a specific site.



TECHNICAL FIELD

[Field of the Invention] This invention relates to a security system provided by a computer that can
operate two or more systems simultaneously and in parallel on a single computer.
[0002] In particular, it includes at least communications control security for the case where, in a
network that uses a public circuit including the Internet, an intranet, and an extranet as a backbone
circuit, a client on said public circuit accesses a specific site.
TECHNICAL PROBLEM

[Problem(s) to be Solved by the Invention] This invention uses an environment in which two or more
systems operate simultaneously and in parallel on a single computer, and secures the security of those
systems without modifying the systems themselves. In this invention, the security between the systems is
handled by a proprietary multiplex system parallel operation kernel that runs as the base and by a
supervising system that controls said multiplex system parallel operation kernel, so that even when an
unauthorized intrusion is made into one system, the other systems are not affected. Even if one system
is invaded from the outside and unlawful access is attempted via said kernel, the supervising system, on
confirming the operation, ends the accessed system itself; the purpose is to provide an environment in
which secondary influence on the other systems is prevented.

[0006] At least one further purpose is to use the aforementioned security to provide a communications
control security function for the case where, in a network that uses as a backbone circuit a public
circuit including the Internet, intranets, and extranets, which are now increasing by leaps and bounds,
a client on said public circuit accesses a specific site. Specifically, this is realized by using a
computer on which said two or more systems can operate simultaneously and in parallel as the translator
computer generally used in said communications control today, and securing its security.
MEANS

[Means for Solving the Problem] The means for solving the aforementioned problem are explained using
drawing 1.

[0008] First, this invention has a means to operate two or more systems simultaneously and in parallel
on one computer. The multiplex system parallel operation kernel 300 of drawing 1 provides said means.
Specifically, the system interruption control section 301 controls interruption between the systems and
performs assignment and scheduling of processors. The system-action memory space Management Department
302 manages the memory of each system and assigns memory to each system. That is, the multiplex system
parallel operation kernel (300) can completely control each system, and when unlawful access is made
from one system to the multiplex system parallel operation kernel (300), it can even stop that
general-purpose system itself using the system-startup end controlling part 304.

[0009] Second, it has a means to conceal, from the other systems, the hardware that each system existing
on the one computer manages on its own. The hardware quota system part 305 of drawing 1 provides said
means. The hardware quota system part (305) manages the hardware (401 and 402) that each system manages
uniquely and the hardware (400) that the systems share, and has a function that assigns each piece of
hardware to each system at startup. With said function, the hardware belonging to one system can be
separated and concealed from the other systems.
[0010] Third, it has a means to control communication between the two or more systems operating
simultaneously and in parallel on one computer. The interior communication control section between
systems 303 in the multiplex system parallel operation kernel 300 of drawing 1 provides said means. The
interior communication control section between systems 303 provides its own function for communication
between the systems, which does not pass through anything outside the computer such as a network, and
can also provide a function that restricts access in communication between systems as needed.

[0011] Using the above means, security under which one system operating on one computer has no
influence on the other systems can be realized without modifying the system itself, and the computer
can be used as a translator system that provides an advanced communications control security function
when a client on the public circuit accesses a specific site.
[0012]
[Embodiment of the Invention] One example of this invention is described using the drawings.
[0013] Drawing 1 is a figure explaining the system configuration of this invention. 100 is one computer.
201 and 202 are systems which operate on the computer (100), and are at least operating systems (OS)
existing in the world and software for computer control, including middleware. 300 is the multiplex
system parallel operation kernel, which operates on the computer (100) and is a system for operating two
or more of said systems (201, 202) on one computer. Within the multiplex system parallel operation kernel
(300) there exist the system interruption control section 301, the system-action memory space Management
Department 302, the interior communication control section between systems 303, and the system-startup
end controlling part 304. The multiplex system parallel operation kernel (300) also contains, as one of
its functions, the hardware quota system part 305, which manages the hardware in the computer and makes
it possible to assign hardware to each system. 401 is the hardware in the computer (100) managed by the
system 1 (201), and 402 is the hardware in the computer (100) managed by the general-purpose system 2
(202). On the other hand, 400 is hardware that all the systems in the computer (100) share. In this
example, for simplicity, the number of systems operating within one computer (100) is set to two, but
more than two may exist.

[0014] The multiplex system parallel operation kernel (300) starts up when the computer (100) starts,
and prepares the environment for operating the two or more systems (201, 202). The system-action memory
space Management Department 302 assigns the required memory space to each system, and each system can
then be loaded into its assigned memory space. The system interruption control section 301 assigns the
processor that each system uses at startup. Of course, this assignment applies when two or more
processors exist in the computer (100); when there is only one processor, the system interruption
control section (301) manages the interrupt scheduling of the processor after startup and passes
processing to each system as needed.

[0015] As described above, two or more systems can operate simultaneously and in parallel on one
computer, and moreover without any change or modification being made to the systems themselves.

[0016] The hardware quota system part (305) also functions as part of the multiplex system parallel
operation kernel (300) when the computer (100) starts, and assigns the hardware (401, 402) that each
system manages uniquely and the hardware (400) that is shared. When hardware information is acquired
after startup from a system (201, 202) that a user can access, system 1 management hardware (401) and
system common management hardware (400) can be acquired from the system 1 (201), and system 2
management hardware (402) and system common management hardware (400) from the system 2 (202). That is,
hardware information that a system does not itself manage cannot be detected: the system 2 (202) cannot
detect the information on system 1 management hardware (401), the system 1 (201) cannot detect system 2
management hardware (402), and not even its existence can be detected.
[0017] By using the functions explained above, two or more completely independent computer environments
can be realized on one computer.

[0018] The multiplex system parallel operation kernel (300) mediates the interior communication between
the two or more systems that operate on it. This is realized by the interior communication control
section between systems 303. Since said interior communication sends no information outside the computer
at all, there is little chance of the communication content being intercepted, and safety is high
compared with actual communication between two or more computers. Since a system sees only a
communications interface, there is also little possibility that the communication content will be
decoded unless the structure of the multiplex system parallel operation kernel (300) is known. Access
restrictions can also be set on communication between systems as needed. For example, for communication
between the system 1 (201) and the system 2 (202), a setting is possible in which only requests from the
system 2 (202) and the responses to them are permitted, and request information from the system 1 (201)
is disregarded. With the above access restriction set, when the system 1 (201) violates the access
restriction, or when the system 2 (202) side detects that an unauthorized intruder is performing
unauthorized operation/control on the system 1 (201), it also becomes possible to end and reboot the
system 1 (201) through the general-purpose system startup end controlling part 304 while the computer
(100) remains running.
[0019] As can be understood from the above explanation, by adopting a composition like drawing 1 for the
systems operating on a computer, a highly safe response is always possible even when an unauthorized
intruder performs unauthorized operation/control.
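
The access restriction and end/reboot behaviour of [0018], as an added illustration in Python that is not part of the patent text: a toy model in which the system 2 may send requests, the system 1 may only answer them, and a violation ends and reboots the system 1 while the system 2 keeps running. The class and method names, the request-id bookkeeping, and the choice to treat an unsolicited response as a violation are assumptions of this sketch.

```python
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    boots: int = 1                      # incremented on every end/reboot
    inbox: list = field(default_factory=list)


class Kernel:
    """Toy model of the multiplex system parallel operation kernel (300)."""

    def __init__(self, monitoring: System, restricted: System):
        self.systems = {s.name: s for s in (monitoring, restricted)}
        self.monitoring = monitoring.name
        self.pending = {}               # request id -> system expected to answer
        self.next_id = 1
        self.admin_notices = []

    def request(self, src: str, dst: str, payload: str):
        """Part 303: only requests originating from the monitoring system pass."""
        if src != self.monitoring:
            self._violation(src, f"request to {dst} disregarded")
            return None
        rid, self.next_id = self.next_id, self.next_id + 1
        self.pending[rid] = dst
        self.systems[dst].inbox.append((rid, payload))
        return rid

    def respond(self, src: str, rid: int, payload: str) -> bool:
        """A response passes only if it answers an outstanding request sent to src."""
        if self.pending.get(rid) != src:
            self._violation(src, f"unsolicited response {rid}")
            return False
        del self.pending[rid]
        self.systems[self.monitoring].inbox.append((rid, payload))
        return True

    def _violation(self, offender: str, reason: str):
        """Record a notice for the administrator, then end/reboot the offender."""
        self.admin_notices.append(f"{offender}: {reason}")
        self.restart(offender)

    def restart(self, name: str):
        """Part 304: only the named system is restarted; the computer stays up."""
        system = self.systems[name]
        system.inbox.clear()            # state of the ended system is discarded
        self.pending = {r: d for r, d in self.pending.items() if d != name}
        system.boots += 1


def demo_access_restriction():
    sys2, sys1 = System("system2"), System("system1")
    kernel = Kernel(monitoring=sys2, restricted=sys1)
    rid = kernel.request("system2", "system1", "status?")         # permitted
    ok = kernel.respond("system1", rid, "idle")                   # permitted response
    denied = kernel.request("system1", "system2", "read config")  # restricted direction
    replay = kernel.respond("system1", rid, "idle")               # rid no longer pending
    return {"ok": ok, "denied": denied, "replay": replay,
            "sys2_inbox": list(sys2.inbox), "boots": (sys2.boots, sys1.boots),
            "notices": list(kernel.admin_notices)}
```
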

[0020] Next, one example of use of this invention is explained with drawing 2 through drawing 4.
However, this is merely one example of use, and various security effects can be obtained by adopting
the same composition elsewhere.

[0021] Drawing 2 is a figure showing the composition of communications control, as generally used at
present, for the case where, in a network that uses a public circuit including the Internet, an
intranet, and an extranet as a backbone circuit, a client on said public circuit accesses a specific
site.
[0022] The components of drawing 2 are explained. 1000 is an external client computer. 1001 is interface
hardware with which the external client computer (1000) communicates; a LAN board/card, a modem, etc.
are general examples. 1002 is the system that runs on the external client computer (1000). 1003 is
client software that operates on said system (1002). 2000 is the public line, which is the channel for
the request/reply packets of said client software (1003). 3000 is the specific site that is the
destination of the request/reply packets of said client software (1003). An example is a closed network
site such as a company's internal network; said site holds access points to both the public line (2000)
and the company's internal network. 3100 is a network for security in the specific site (3000), located
between the public line (2000) and the internal network in the specific site (3000), and is generally
called a boundary network. 3110 sits between the public line (2000) and the boundary network (3100), is
equipment that filters the communication packets passing back and forth between the two networks, and
is generally called an external router. 3111 is the external<->boundary communication control part,
which is in the external router (3110) and actually provides the packet filtering function. 3120 is the
boundary server computer, which is on the boundary network (3100) and performs the validity check and
authentication of communication from the client software (1003). 3121 is interface hardware with which
the boundary server computer (3120) communicates. 3122 is the system that runs on the boundary server
computer (3120). 3123 is server software that operates on said system (3122), and is called a boundary
server. 3124 is the client specification processing corresponding point, which performs the validity
check and authentication of communication from the client software (1003) on said boundary server (3123)
and, as needed, transmits a processing packet to the internal network of the specific site (3000). 3200
is the internal network in the specific site (3000). 3210 sits between the boundary network (3100) and
the internal network (3200), is equipment that filters the communication packets passing back and forth
between the two networks, and is generally called an internal router. 3211 is the internal<->boundary
communication control part, which is in the internal router (3210) and actually provides the packet
filtering function. 3220 is the internal server computer, which is in the internal network and performs
internal processing etc. in response to processing requests from clients in the internal network (3200)
and from the client specification processing corresponding point (3124) on the boundary server computer
(3120). 3230 is an internal client computer in the internal network (3200). For simplicity, the
configuration is drawn here with very few computers, but in practice many devices playing the same
roles exist.
[0023] Next, the communications processing flow when an external client computer (1000) accesses the
internal network (3200) in a specific site (3000) is explained using drawing 3. Processing starts at
4000. At 4001, the client software (1003) on the external client computer (1000) issues a processing
request packet to the specific site (3000). Although the final destination of said processing request
packet is the internal server computer (3220) and internal client computer (3230) on the internal
network (3200), the destination to which the packet is actually issued is the boundary server computer
(3120) on the boundary network (3100). At 4002, the processing request packet issued by the external
client computer (1000) is sent to the external router (3110) via the public circuit (2000). At 4003, the
external<->boundary communication control part (3111) in the external router (3110) performs packet
filtering, judging the address and the packet kind, and a processing request packet whose validity has
been confirmed is sent to the boundary server computer (3120). Processing ends (4010) if the packet is
invalid.

[0024] At 4004, the processing request packet that has reached the boundary server computer (3120) is
passed to the boundary server (3123) in the boundary server computer (3120), where the client
specification processing corresponding point (3124) checks the contents of the packet and authenticates
the sender. If the packet is found valid, the client specification processing corresponding point (3124)
performs packet conversion and the required authentication processing in order to send it on to the
internal network (3200), and sends the packet to the internal router (3210). Processing ends (4010) if
the contents of the packet are invalid or authentication of the sender fails. At 4005, the
internal<->boundary communication control part (3211) in the internal router (3210) performs packet
filtering, judging the packet kind after conversion or checking the address, and a packet whose validity
has been confirmed is sent into the internal network.
[0025] On the other hand, processing ends (4010) if the packet kind is invalid or the address check
fails. At 4006, the packet that has arrived at the internal network (3200) is sent to the internal
server computer (3220) and internal client computer (3230) that finally perform the processing, and the
processing request is carried out. The above is the series of communications processing flows when an
external client computer (1000) accesses the internal network (3200) in a specific site (3000).
[0026] Here, the security problem in the composition of drawing 2 is described.
[0027] Generally, the packets that flow through the public circuit (2000) and the networks of the
specific site (3100, 3200) have their contents encrypted and so on, and are designed to be comparatively
safe even if tapped. However, the system (3122) that serves as the base of the boundary server (3123) on
the boundary network (3100) generally consists of a widely distributed OS and middleware, and its
internal structure is easy to analyze. In addition, because the role of the boundary server (3123)
includes not only processing information from outside but also sending information to the outside, the
security level of packet filtering on the external router (3110) is in many cases inevitably set lower
than that of the internal router (3210). Therefore, it is easy for an external unauthorized intruder to
attempt unauthorized intrusion into the boundary server computer (3120) on the boundary network (3100),
or to plant an unauthorized analysis program.

[0028] When unauthorized access occurs or an unauthorized program is planted, the contents of the
processing request packets sent in are analyzed and altered, and the packets sent to the internal
network are likewise analyzed and altered. Eventually intrusion into the internal network of a company
etc. is allowed, leakage of highly sensitive information, planting of viruses, etc. take place, and
serious damage is suffered in many cases. Of course, as a countermeasure, the system (3122) on the
boundary server computer (3120) of the boundary network (3100) could be made a proprietary system. In
that case, however, the applications that run on the system, including the server, must also be prepared
as completely proprietary ones, and flexibility falls remarkably.

[0029] To solve said security problem, drawing 4 shows the configuration when the system configuration
of this invention explained with drawing 1 is applied to the boundary server computer (3120) on the
boundary network (3100).

[0030] The components of drawing 4 are explained. 1000, 1001, 1002, 1003, 2000, 3000, 3100, 3110, 3111,
3120, 3121, 3122, 3123, 3124, 3200, 3210, 3211, 3220, and 3230 are the same as in the composition
explained with drawing 2. 300 is the multiplex system parallel operation kernel explained with drawing
1. 3125 is the client specification processing demand preserving part, a storage area for temporarily
saving processing request packets from the external client (1000). 3126 is interface hardware on the
boundary server computer (3120) for communicating with the internal server computer (3220). 3127 is the
supervising system, which monitors the contents of the client specification processing demand preserving
part and monitors the system (3122) for unauthorized operation/intrusion. 3321 is interface hardware
with which the internal server computer (3220) communicates. 3222 is the system that runs on the
internal server computer (3220). 3223 is server software that operates on said system (3222), and is
called an internal server. 3224 is the client specification processing demand acquisition part, which
acquires the processing request packets from the external client (1000) from the client specification
processing demand preserving part (3125) on the instructions of the supervising system (3127). 3225 is
the client specification processing internal network corresponding point, which receives a processing
request packet from the client specification processing demand acquisition part and sends it to the
specified computer in the internal network. 3226 is interface hardware on the internal server computer
(3220) for communicating with the boundary server computer (3120). 3300 is the exclusive gateway LAN, a
network that connects the communication-interface hardware (3326) of the internal server computer (3220)
and the communication-interface hardware (3126) of the boundary server computer (3120).
[0031] The only distinctive feature of this composition is that the multiplex system operation kernel
(300) explained with drawing 1 is adopted on the boundary server computer (3120). When the boundary
server computer (3120) starts, said multiplex system operation kernel (300) loads the supervising system
(3127) in addition to the same system (3122) as before. This is realized by the system interruption
control section (301) and the system memory space management department (302) explained with drawing 1.
Moreover, although both systems operate on one computer, they are connected to completely separate
networks: the system (3122) to the boundary network (3100), and the supervising system (3127) to the
exclusive gateway LAN (3300). In hardware as well, the communication-interface hardware (3121, 3126)
that each system manages is arranged so that the hardware information on the other system's side cannot
be detected. This is realized by the hardware quota system part (305) explained with drawing 1. That is,
computers with completely separate security levels coexist independently on one computer.

[0032] The supervising system (3127) periodically monitors the system (3122) side by way of the
multiplex system parallel kernel (300). For this purpose, the multiplex system parallel kernel (300) is
set to permit requests from the supervising system (3127) and the answers to them, but not to accept
requests in the reverse direction from the system (3122). This is realized by the interior communication
control section between systems explained with drawing 1. If the system (3122) side is found to have
received a processing request packet from an external client (1000), the supervising system (3127) sends
instructions to the internal server computer (3220) via the exclusive gateway LAN (3300), the internal
server computer (3220) acquires the processing request packet, and the processing request packet is
finally sent to the specified computer in the internal network.
[0033] When an unauthorized person intrudes into the system (3122) on the boundary server computer
(3120) or an unauthorized program etc. is planted, the supervising system (3127) detects it. When
unlawful access to the multiplex system parallel kernel (300) is attempted as well, the multiplex system
parallel operation kernel (300) detects it and notifies the supervising system (3127). On the
instructions of the supervising system (3127), the system (3122) side is ended/rebooted, and an
administrator is notified. This is realized by the system startup end controlling part (304) explained
with drawing 1.

[0034] Using drawing 5, the communications processing flow when an external client computer (1000)
accesses the internal network (3200) in a specific site (3000) with the composition of drawing 4 is
explained. Since the processing up to the point where a processing request packet is sent to the
boundary server computer (3120) is the same as that of drawing 3, only the subsequent steps are
explained here. Processing starts at 5000. At 5001, the processing request packet that has reached the
boundary server computer (3120) is passed to the boundary server (3123) in the boundary server computer
(3120), where the client specification processing corresponding point (3124) checks the contents of the
packet and authenticates the sender. If the packet is found valid, the client specification processing
corresponding point (3124) stores it in the client specification processing demand preserving part
(3125). Processing ends (5010) if the contents of the packet are invalid or authentication of the sender
fails. At 5002, the supervising system (3127) checks the client specification processing demand
preserving part (3125) via the multiplex system parallel operation kernel (300). When a processing
request packet exists, it checks the contents of the packet and, if the packet is valid, issues a packet
acquisition instruction via the exclusive gateway LAN (3300) to the client specification processing
demand acquisition part on the internal server (3223). Processing ends (5010) if the contents are
invalid. At 5003, the client specification processing demand acquisition part acquires the processing
packet from the client specification processing demand preserving part (3125) and sends it to the client
specification processing internal network corresponding point (3225). At 5004, the client specification
processing internal network corresponding point (3225) sends the packet to the internal server computer
(3220) and internal client computer (3230) that finally perform the processing, and the processing
request is carried out. The above is the series of communications processing flows when an external
client computer (1000) accesses the internal network (3200) in a specific site (3000) using the system
configuration of this patent.
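
The drawing 5 flow of [0034] (steps 5001 to 5004, with 5010 as the rejected end state), as an added Python illustration that is not part of the patent text. HMAC-SHA256 as the sender authentication, the JSON packet layout, the supervising system repeating the sender check, and all class and function names are assumptions of this sketch; direct method calls stand in for the exclusive gateway LAN (3300). The last case shows a packet placed in the preserving part (3125) by a compromised system (3122) being stopped at step 5002.

```python
import hashlib
import hmac
import json
from collections import deque

CLIENT_KEYS = {"client-1000": b"constructed-demo-key"}   # constructed sample key
TARGETS = {"3220", "3230"}          # internal server computer / internal client computer


def mac_for(client: str, body: str) -> str:
    key = CLIENT_KEYS.get(client, b"")
    return hmac.new(key, f"{client}\n{body}".encode(), hashlib.sha256).hexdigest()


def authentic(packet: dict) -> bool:
    """Sender authentication: known client and a matching HMAC over the body."""
    client, body = packet.get("client", ""), packet.get("body", "")
    if client not in CLIENT_KEYS:
        return False
    return hmac.compare_digest(mac_for(client, body).encode(),
                               str(packet.get("mac", "")).encode())


def well_formed(packet: dict) -> bool:
    """Content check: a JSON object naming an internal target that exists."""
    try:
        body = json.loads(packet.get("body", ""))
    except (TypeError, ValueError):
        return False
    return isinstance(body, dict) and body.get("target") in TARGETS


class BoundarySystem:
    """System 3122 with corresponding point 3124 and preserving part 3125."""

    def __init__(self):
        self.preserving_part = deque()

    def receive(self, packet: dict) -> str:          # step 5001
        if not (authentic(packet) and well_formed(packet)):
            return "5010"
        self.preserving_part.append(packet)
        return "stored"


class InternalServer:
    """Internal server 3223 with acquisition part 3224 and corresponding point 3225."""

    def __init__(self):
        self.delivered = []                          # (target, body) pairs, step 5004

    def acquire(self, packet: dict) -> None:         # step 5003, only when instructed
        body = json.loads(packet["body"])
        self.delivered.append((body["target"], body))


class SupervisingSystem:
    """Supervising system 3127: the only path from 3125 to the internal server."""

    def poll(self, boundary: BoundarySystem, internal: InternalServer) -> list:
        outcomes = []                                # step 5002
        while boundary.preserving_part:
            packet = boundary.preserving_part.popleft()
            if authentic(packet) and well_formed(packet):
                internal.acquire(packet)
                outcomes.append("forwarded")
            else:
                outcomes.append("5010")
        return outcomes


def demo_drawing5_flow():
    boundary, internal, supervisor = BoundarySystem(), InternalServer(), SupervisingSystem()
    body = json.dumps({"target": "3220", "action": "get_report"})   # constructed request
    good = {"client": "client-1000", "body": body, "mac": mac_for("client-1000", body)}
    received = [boundary.receive(good), boundary.receive(dict(good, mac="0" * 64))]
    # Constructed failure case: system 3122 is compromised and writes into 3125 directly.
    forged = dict(good, body=json.dumps({"target": "3230", "action": "dump"}))
    boundary.preserving_part.append(forged)
    return received, supervisor.poll(boundary, internal), internal.delivered
```
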

[0035] This concludes the explanation of one example of this invention.
DESCRIPTION OF DRAWINGS

[Brief Description of the Drawings]

[Drawing 1] The system configuration figure of this invention.

[Drawing 2] The lineblock diagram of the present public circuit ************.

[Drawing 3] The flow chart of the present public circuit ******** control management.

[Drawing 4] The lineblock diagram at the time of using this invention for public circuit ************.

[Drawing 5] The flow chart of the public circuit ******** control management by this invention.

[Description of Notations]

100 -- A computer, 201 -- System 1, 202 -- System 2, 300 -- Multiplex system parallel operation kernel,
301 -- A system interruption control section, 302 -- System action memory space Management Department,
303 -- The interior communication control section between systems, 304 -- A system startup end
controlling part, 305 -- A hardware quota system part, 400 -- System common management hardware,
401 -- System 1 management hardware, 402 -- System 2 management hardware.